Merged
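--- a/SPECS/kf-kcoreaddons/CVE-2026-41526.patch
+++ b/SPECS/kf-kcoreaddons/CVE-2026-41526.patch
@@ -0,0 +1,74 @@
+From 33523981f61acf8e2a389f90031c6524576a18d9 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Fri, 1 May 2026 17:09:03 +0000
+Subject: [PATCH] Remove control characters when quoting args
+
+Using these characters can lead to unexpected results.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://invent.kde.org/frameworks/kcoreaddons/-/commit/6153c9ae025fa570174bb4a143df38fa2f46606b.patch
+---
+autotests/kshelltest.cpp | 10 +++++++++-
+src/lib/util/kshell_unix.cpp | 15 ++++++++++-----
+2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/autotests/kshelltest.cpp b/autotests/kshelltest.cpp
+index e08bb91..afed14d 100644
+--- a/autotests/kshelltest.cpp
++++ b/autotests/kshelltest.cpp
+@@ -78,6 +78,14 @@ void KShellTest::quoteArg()
+QCOMPARE(KShell::quoteArg(QStringLiteral("a % space")), QStringLiteral("\"a %PERCENT_SIGN% space\""));
+#else
+QCOMPARE(KShell::quoteArg(QStringLiteral("a space")), QStringLiteral("'a space'"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("a\x01")), QStringLiteral("a"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("\x01")), QStringLiteral("''"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("a\x02")), QStringLiteral("a"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("a\x7f")), QStringLiteral("a"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("🫠")), QStringLiteral("🫠"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("👩‍👩‍👧‍👦")), QStringLiteral("👩‍👩‍👧‍👦"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("ひらがな")), QStringLiteral("ひらがな"));
++ QCOMPARE(KShell::quoteArg(QStringLiteral("ひらがな\x1")), QStringLiteral("ひらがな"));
+#endif
+}
+
+@@ -123,7 +131,7 @@ void KShellTest::splitJoin()
+QVERIFY(err == KShell::NoError);
+#else
+QCOMPARE(sj(QString::fromUtf8("\"~qU4rK\" 'text' 'jo'\"jo\" $'crap' $'\\\\\\'\\e\\x21' ha\\ lo \\a"), KShell::NoOptions, &err),
+- QString::fromUtf8("'~qU4rK' text jojo crap '\\'\\''\x1b!' 'ha lo' a"));
++ QString::fromUtf8("'~qU4rK' text jojo crap '\\'\\''!' 'ha lo' a"));
+QVERIFY(err == KShell::NoError);
+
+QCOMPARE(sj(QStringLiteral("\"~qU4rK\" 'text'"), KShell::TildeExpand, &err), QStringLiteral("'~qU4rK' text"));
+diff --git a/src/lib/util/kshell_unix.cpp b/src/lib/util/kshell_unix.cpp
+index 616c7c1..61c0aad 100644
+--- a/src/lib/util/kshell_unix.cpp
++++ b/src/lib/util/kshell_unix.cpp
+@@ -294,14 +294,19 @@ inline static bool isSpecial(QChar cUnicode)
+
+QString KShell::quoteArg(const QString &arg)
+{
+- if (!arg.length()) {
++ auto quoted = arg;
++ quoted.removeIf([](const QChar &input) {
++ return input.category() == QChar::Other_Control;
++ });
++ if (quoted.isEmpty()) {
+return QStringLiteral("''");
+}
+- for (int i = 0; i < arg.length(); i++) {
+- if (isSpecial(arg.unicode()[i])) {
++
++ for (int i = 0; i < quoted.length(); i++) {
++ if (isSpecial(quoted.unicode()[i])) {
+QChar q(QLatin1Char('\''));
+- return q + QString(arg).replace(q, QLatin1String("'\\''")) + q;
++ return q + QString(quoted).replace(q, QLatin1String("'\\''")) + q;
+}
+}
+- return arg;
++ return quoted;
+}
+--
+2.45.4
+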
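Review bot: In the new `KShell::quoteArg` body, the `removeIf` predicate `input.category() == QChar::Other_Control` matches the whole Cc category, which includes tab, line feed and carriage return as well as the `\x01`, `\x02` and `\x7f` cases the added tests exercise, so an argument such as a file name containing a newline is now silently shortened instead of single-quoted and the returned string no longer names the same thing as the input. None of the added `QCOMPARE` lines pins that, so I would add `QCOMPARE(KShell::quoteArg(QStringLiteral("a\tb")), QStringLiteral("ab"));` and `QCOMPARE(KShell::quoteArg(QStringLiteral("a\nb")), QStringLiteral("ab"));` next to them, and put a comment above the `removeIf` call such as `// Control characters (category Cc, including \t, \n and \r) are dropped, not escaped; the result may differ from arg.` Format characters (category Cf) are left in place, which the zero-width-joiner emoji test appears to rely on, so callers that need to reject such input still have to check it themselves. As a style point, `quoted` is already a local copy, so `QString(quoted).replace(...)` makes a second copy that `quoted.replace(q, QLatin1String("'\\''"))` would avoid.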
8 changes: 6 additions & 2 deletions SPECS/kf-kcoreaddons/kf-kcoreaddons.spec
@@ -1,6 +1,6 @@
Name: kf-kcoreaddons
Version: 5.249.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: KDE Frameworks 6 Tier 1 addon with various classes on top of QtCore
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -12,6 +12,7 @@ URL: https://cgit.kde.org/kcoreaddons.git
%global framework kcoreaddons

Source0: https://invent.kde.org/frameworks/%{framework}/-/archive/v%{version}/%{framework}-v%{version}.tar.gz#/%{framework}-%{version}.tar.gz
Patch0: CVE-2026-41526.patch

## upstream patches

Expand Down Expand Up @@ -42,7 +43,7 @@ developing applications that use %{name}.


%prep
%autosetup -n kcoreaddons-v%{version}
%autosetup -p1 -n kcoreaddons-v%{version}

%build
%cmake_kf
Expand Down Expand Up @@ -81,6 +82,9 @@ time \
%{_kf_libdir}/libKF6CoreAddons.so

%changelog
* Fri May 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.249.0-2
- Patch for CVE-2026-41526

* Fri Feb 02 2024 Sam Meluch <sammeluch@microsoft.com> - 5.249.0-1
- Upgrade for Azure Linux 3.0
